Cisco Cisco Web Security Appliance S680 Guía Del Usuario
5-14
AsyncOS 9.1.1 for Cisco Web Security Appliances User Guide
Chapter 5 Acquire End-User Credentials
Authentication Realms
What to Do Next
•
Create an Identification Profile that uses the Kerberos authentication scheme.
How to Create an Active Directory Authentication Realm (NTLMSSP and Basic)
Prerequisites for Creating an Active Directory Authentication Realm (NTLMSSP and Basic)
•
Ensure you have the rights and domain information needed to join the Web Security appliance to the
Active Directory domain you wish to authenticate against.
Active Directory domain you wish to authenticate against.
•
If you plan to use “domain” as the NTLM security mode, use only nested Active Directory groups.
If Active Directory groups are not nested, use the default value, “ads”. See
If Active Directory groups are not nested, use the default value, “ads”. See
the Command Line Interface appendix of this guide.
•
Compare the current time on the Web Security appliance with the current time on the Active
Directory server and verify that the difference is no greater than the time specified in the “Maximum
tolerance for computer clock synchronization” option on the Active Directory server.
Directory server and verify that the difference is no greater than the time specified in the “Maximum
tolerance for computer clock synchronization” option on the Active Directory server.
•
If the Web Security appliance is managed by a Security Management appliance, be prepared to
ensure that same-named authentication realms on different Web Security appliances have identical
properties defined on each appliance.
ensure that same-named authentication realms on different Web Security appliances have identical
properties defined on each appliance.
•
Be aware that once you commit the new realm, you cannot change a realm’s authentication protocol.
•
The WSA needs to connect to the domain controllers for all trusted domains, and to the configured
domain controllers into the NTLM realm. For authentication to work correctly, you need to open the
following ports to all domain controllers on the internal domain and on the external domain:
domain controllers into the NTLM realm. For authentication to work correctly, you need to open the
following ports to all domain controllers on the internal domain and on the external domain:
LDAP (389 UDP and TCP)
Microsoft SMB (445 TCP)
Kerberos (88 UDP)
End-point resolution – port mapper (135 TCP) Net Log-on fixed port
•
For NTLMSSP, single sign on (SSO) can be configured on client browsers. See
About Using Multiple NTLM Realms and Domains
The following rules apply in regard to using multiple NTLM realms and domains:
•
You can create up to 10 NTLM authentication realms.
•
The client IP addresses in one NTLM realm must not overlap with the client IP addresses in another
NTLM realm.
NTLM realm.
•
Each NTLM realm can join one Active Directory domain only but can authenticate users from any
domains trusted by that domain. This trust applies to other domains in the same forest by default and
to domains outside the forest to which at least a one way trust exists.
domains trusted by that domain. This trust applies to other domains in the same forest by default and
to domains outside the forest to which at least a one way trust exists.
•
Create additional NTLM realms to authenticate users in domains that are not trusted by existing
NTLM realms.
NTLM realms.